1

I've been playing around with sslstrip, arpspoof and ip_forward.

I read about the whole process at: http://www.thoughtcrime.org/software/sslstrip/index.html

My goal was to sniff HTTPS connections, passwords and such.

So I have a test setup with different IPs, and I can only see the passwords when I use Internet Explorer. When I try with Chrome or another browser, it just won't work. The connection persists in staying on HTTPS if I check on my WM-Windows 7 machine.

Is there a solution to this?

Daniel

1 Answer

4

SSLStrip will work on any browser. This attack will fail to work under Firefox and Chrome for websites protected with HSTS. For example, Google.com and gmail.com should not be affected by SSLStrip because of HSTS. Internet Explorer is not compliant with RFC-6797, which describes the HSTS security measure, and is therefore more susceptible to attacks like SSLStrip.

rook
  • That's not completely true. You can do sslstrip to a site with HSTS using Chrome. Test it with, for example, outlook.com and you will see that you can sniff in plain. The point is that there is a list of well-known sites which browsers have. For example, Facebook can't be affected anymore if you use browsers like Chrome or Firefox, because Facebook got onto the browser's "always https" list, I guess by paying, not sure how. But outlook.com is not on that list and can be sslstripped even with HSTS. See my answer [here](http://security.stackexchange.com/questions/86139/risks-of-using-http) – OscarAkaElvis Dec 14 '16 at 00:19
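
The answer and the comment above turn on two different levels of HSTS protection: a policy the browser learns from a response header, and a policy the browser already ships with. The following is an added example, not code from the original posts: a Python check a site operator could run over their own responses to see which level a header gives, with the function names, labels and sample headers being assumptions constructed for illustration.

```python
import re

PRELOAD_MIN_AGE = 31536000  # one year: minimum max-age hstspreload.org accepts

def parse_hsts(value):
    """Parse a Strict-Transport-Security value (RFC 6797, section 6.1).
    Returns {directive: value} or None when the header must be ignored."""
    directives = {}
    for part in value.split(";"):
        name, _, arg = part.strip().partition("=")
        name, arg = name.strip().lower(), arg.strip()
        if not name:
            continue                      # tolerate empty segments (";;")
        if len(arg) >= 2 and arg[0] == arg[-1] == '"':
            arg = arg[1:-1]               # max-age may be a quoted-string
        if name in directives:
            return None                   # duplicate directive: invalid header
        directives[name] = arg
    if not re.fullmatch(r"[0-9]+", directives.get("max-age", "")):
        return None                       # max-age is REQUIRED and numeric
    directives["max-age"] = int(directives["max-age"])
    return directives

def classify(scheme, headers):
    """Rate one response from a site you operate against SSL stripping."""
    if scheme != "https":
        return "ignored-over-http"        # section 8.1: never honoured on HTTP
    raw = next((v for k, v in headers.items()
                if k.lower() == "strict-transport-security"), None)
    policy = parse_hsts(raw) if raw is not None else None
    if policy is None or policy["max-age"] == 0:
        return "no-hsts"                  # max-age=0 deletes the stored policy
    if ("includesubdomains" in policy and "preload" in policy
            and policy["max-age"] >= PRELOAD_MIN_AGE):
        return "preload-ready"            # header qualifies; list entry is separate
    return "first-visit-exposed"          # protects only after one clean HTTPS visit

# Constructed sample responses for illustration
SAMPLES = [
    ("https", {"Strict-Transport-Security": "max-age=31536000; includeSubDomains; preload"}),
    ("https", {"strict-transport-security": 'max-age="600"'}),
    ("https", {"Strict-Transport-Security": "includeSubDomains"}),
    ("http",  {"Strict-Transport-Security": "max-age=31536000"}),
]

if __name__ == "__main__":
    for scheme, headers in SAMPLES:
        print(scheme, headers, "->", classify(scheme, headers))
```

A "preload-ready" result only means the header meets the submission criteria; the domain still has to be submitted and shipped in the browser's built-in list before a first visit is covered.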